CVE-2024-57768
Found by Chaitin Security Research Lab
Vulnerability Product: 点狮/OA-CRM-HRM-WMS-点狮
Vulnerability version: before 2025.01.01
Vulnerability type: SQL injection
Vulnerability Details:
- Analyzing WEB-INF/admin/sys/role/edit.html:85 shows that when a user saves role information on the edit page and clicks the Save button, the page first requests a URL that checks whether the role identifier already exists. The parameter sent for this check is sysRole.key. From the request path, the check is handled by the validRoleKey() method of the role controller.

- In the validRoleKey() method in com/pointlion/mvc/admin/sys/role/RoleController.java:185, the parameter value is read directly from the model populated from the user's request and passed to the getRoleByRoleKey() method.

- In the getRoleByRoleKey() method in com/pointlion/mvc/common/model/SysRole.java:185, the user-supplied value is concatenated directly into the SQL query string, which is then passed to the findFirst() method. The parameter is not validated, escaped or bound at any point in this process.

- Following findFirst() into /Users/admin/.m2/repository/com/jfinal/jfinal/4.6/jfinal-4.6.jar!/com/jfinal/plugin/activerecord/Model.class:540, the concatenated SQL statement is handed to the findFirst() overload at /Users/admin/.m2/repository/com/jfinal/jfinal/4.6/jfinal-4.6.jar!/com/jfinal/plugin/activerecord/Model.class:534, which executes the query directly and returns the result. Throughout this path, the parameter sysRole.key is neither filtered nor escaped. The parameter is therefore attacker-controlled, and a SQL injection vulnerability exists at this point.

- Construct the PoC: log in to the backend and request the following route
http://localhost:8089/JPointLion_war_exploded/admin/sys/role/validRoleKey?sysRole.key=1'+and+updatexml(1,concat(0x7e,user(),0x7e),1)--+-
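
As an added illustration (not the project's own code), the following shows the vulnerable pattern described above beside a hardened form that uses JFinal's parameterised findFirst(String sql, Object... paras) overload. The table name sys_role, the column name `key`, the class layout and the role-key format check are assumptions made for this example.

```java
package com.pointlion.mvc.common.model;

import com.jfinal.plugin.activerecord.Model;
import java.util.regex.Pattern;

// Illustrative reconstruction only; table/column names are assumptions.
public class SysRole extends Model<SysRole> {

    public static final SysRole dao = new SysRole().dao();

    // Assumed allowlist for role identifiers: letters, digits, underscore.
    private static final Pattern ROLE_KEY = Pattern.compile("^[A-Za-z0-9_]{1,64}$");

    // Vulnerable pattern from the advisory: the request value lands inside
    // the SQL text, so a single quote in sysRole.key ends the literal and the
    // rest of the value is executed as SQL by findFirst().
    public SysRole getRoleByRoleKeyVulnerable(String key) {
        String sql = "select * from sys_role where `key` = '" + key + "'";
        return dao.findFirst(sql);
    }

    // Hardened version: the SQL text is a constant and the value travels as a
    // bound parameter, so the JDBC driver sends it as data and it cannot
    // change the structure of the statement.
    public SysRole getRoleByRoleKey(String key) {
        return dao.findFirst("select * from sys_role where `key` = ?", key);
    }

    // Defence in depth for the duplicate-key check: reject values that do not
    // look like a role identifier before touching the database at all.
    public boolean roleKeyExists(String key) {
        if (key == null || !ROLE_KEY.matcher(key).matches()) {
            return false;
        }
        return getRoleByRoleKey(key) != null;
    }
}
```

With the parameterised query, a value such as the advisory's `1' and updatexml(...)` is compared literally against the `key` column and simply matches no row, instead of being executed.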
